Archive for ‘Misc’

29/07/2015

CNET Update – Most Android phones can be hacked with one text


Information technology researchers have found that all Android phones, without exception, are vulnerable to being hacked: all it takes is a single text message carrying a video or a picture loaded with malicious code.

The researchers revealed that this attack lets the hacker seize full control of the compromised phone, and that it can compromise 95% of Android phones and devices worldwide, which the researchers estimate at around 950 million devices.

The experts explained that the method is very simple: the hacker sends a short text message containing a loaded picture or a short video clip, and as soon as the link is opened the hacker controls the phone completely. The hacker can spy on and monitor the user through the phone's microphone and its front and rear cameras, break into the user's social media accounts and send messages from them, and, most dangerously, can also reach bank accounts if credit card details are stored on the phone.

The experts advise Android phone owners in particular not to click on any link from an untrusted source, because once the link is clicked the hacker takes control of the phone within a matter of seconds.

Although Google moved quickly to address these weaknesses, the question remains: how long will it take for the fix to reach every Android phone in the world?

28/07/2015

Cloud Computing terms that you must know

Editor’s note on July 22, 2015: This cloud glossary was first written by Deb Shinder and published March 16, 2010. Since then, new cloud terms have entered the industry’s vernacular, and some terms have changed or are no longer used. James Sanders has added to and revised this list to reflect current trends and products. You can still read Deb’s original version after the article break.

Advertising-based pricing model

A pricing model whereby services are offered to customers at low or no cost, with the service provider being compensated by advertisers whose ads are delivered to the consumer along with the service.

Amazon Elastic Compute Cloud (EC2)

Part of Amazon Web Services (AWS), EC2 provides scalable computing capacity in the cloud, which developers can use to deploy scalable applications.

Amazon Simple Storage Service (S3)

Part of AWS, S3 allows for the storage and retrieval of data. It can also be used to host static websites.

Apache Hadoop

An open-source software framework for distributed storage and processing of large sets of data.

AWS

The organizational unit of Amazon that provides a variety of cloud services. AWS operates from 11 physical locations across North and South America, Europe, Asia, and Australia.

Content delivery network (CDN)

A distributed system consisting of servers in discrete physical locations, configured in a way that clients can access the server closest to them on the network, thereby improving speeds.

Cloud portability

The ability to move applications and data from one cloud provider to another. See also Vendor lock-in.

Cluster

A group of linked computers that work together as if they were a single computer, for high availability and/or load balancing.

Consumer cloud

Cloud computing offerings targeted toward individuals for personal use, such as Dropbox or iCloud.

Consumption-based pricing model

A pricing model whereby the service provider charges its customers based on the amount of the service the customer consumes, rather than a time-based fee. For example, a cloud storage provider might charge per gigabyte of information stored. See also Subscription-based pricing model.

Content Management Interoperability Services (CMIS)

An open standard for controlling content and document management systems and repositories using web protocols.

Customer self-service

A feature that allows customers to provision, manage, and terminate services themselves, without involving the service provider, via a web interface or programmatic calls to service APIs.

Docker

Open-source software that automates the deployment of applications inside virtualized software containers.

Elastic computing

The ability to dynamically provision and deprovision computing and storage resources to stretch to the demands of peak usage, without the need to worry about capacity planning and engineering around uneven usage patterns.

Hardware as a Service (HaaS)

Also see IaaS.

Hybrid cloud

The combination of a public cloud provider (such as AWS) with a private cloud platform. The public and private cloud infrastructures operate independently of each other, and integrate using software and processes that allow for the portability of data and applications.

Infrastructure as a Service (IaaS)

Cloud infrastructure services in which a virtualized environment is delivered as a service by the cloud provider. This infrastructure can include servers, network equipment, and software, including a complete desktop environment such as Windows or Linux.

Microsoft Azure

Microsoft’s cloud platform that provides a myriad of Platform as a Service (PaaS) and IaaS offerings, including Microsoft-specific and third-party standards, for developers to deploy cloud applications and services.

Middleware

Software that sits between applications and operating systems, consisting of a set of services that enable interoperability in support of distributed architectures by passing data between applications. So, for example, the data in one database can be accessed through another database.

Multitenancy

The existence of multiple clients sharing resources (services or applications) on distinct physical hardware. Due to the on-demand nature of cloud, most services are multi tenant.

OpenStack

A free and open-source cloud computing software platform used to control pools of processing, storage, and networking resources in a datacenter.

PaaS

Cloud platform services, whereby the computing platform (operating system and associated services) is delivered as a service over the internet by the provider.

Software as a Service (SaaS)

Cloud application services, whereby applications are delivered over the internet by the provider so the applications don’t have to be purchased, installed, and run on the customer’s computers. SaaS providers were previously referred to as application service providers.

Salesforce

An online SaaS company that is best known for delivering customer relationship management (CRM) software to companies over the internet.

Service migration

The act of moving from one cloud service or vendor to another.

Service level agreement (SLA)

A contractual agreement by which a service provider defines the level of service, responsibilities, priorities, and guarantees regarding availability, performance, and other aspects of the service.

Social networking service (SNS)

Used in enterprises for collaboration, file sharing, and knowledge transfer; among the most common platforms are Microsoft’s Yammer, and Salesforce’s Chatter. Often called enterprise social software to differentiate between “traditional” SNS platforms such as Facebook or LinkedIn.

Software plus services

The combination of cloud-hosted services with locally running software. This method allows for using the local system for processing power while relying on cloud operations for software license verification, portable identities, syncing between devices, and file storage.

Subscription-based pricing model

A pricing model that lets customers pay a fee to use the service for a particular time period, often used for SaaS services. See also Consumption-based pricing model.

Utility computing

A provisioning model in which services are available as needed, and users are charged for specific usage, in a manner similar to municipal utilities such as electricity or water.

Vendor lock-in

Dependency upon a particular cloud vendor and low ability to migrate between vendors due to an absence of support for standardized protocols, APIs, data structures (schema), and/or service models.

Vertical cloud

A cloud computing environment optimized for use and built around the compliance needs of specialized industries, such as healthcare, financial services, and government operations.

Virtual private cloud (VPC)

A private cloud that exists within a shared or public cloud, e.g., the Amazon VPC that allows Amazon EC2 to connect to legacy infrastructure on an IPsec VPN.


26/07/2015

10 VC blogs every startup founder should be reading

Some of the best resources for learning about life as a startup founder are the blogs written by venture capitalists. These investors were often entrepreneurs beforehand, and provide key insights into what it takes to successfully run a business.

Here are ten blogs written by VCs that can provide some serious insight for entrepreneurs.

1. FeldThoughts

FeldThoughts is the personal website of Brad Feld, a managing director at Foundry Group in Colorado. Posts on FeldThoughts cover a variety of topics from startup best practices to Feld’s personal life. His archive of posts is well-categorized and tagged, making it easy to find information on a problem you may be having.

2. Tomasz Tunguz

Redpoint VC Tomasz Tunguz maintains a great blog on fundraising and the lifecycle of a startup. Posts are generally data-heavy, including graphs and charts showing trends in a particular market or sector. His insight on startup benchmarks will be particularly helpful for first-time founders.

3. Bothsides of the Table

Mark Suster’s blog Bothsides of the Table delivers on its name in that Suster shares insight from the perspective of both the founder and the investor. Suster also runs an interview show called BothSidesTV that is worth checking out.

4. Ben’s Blog

Ben’s Blog is the blog of Ben Horowitz, the latter half of VC firm Andreessen Horowitz. The blog offers wisdom to entrepreneurs and more traditional professionals as well, plus he starts every post with rap lyrics. Posts are short enough to be easily digestible, but provide serious value.

5. AVC

Fred Wilson, of Union Square Ventures, has been investing as a VC since 1986. His wealth of experience yields unique and useful posts on his blog AVC. Wilson posts every day, often with a compelling chart or infographic.

6. CDixon Blog

Chris Dixon is a partner at Andreessen Horowitz, but before that he founded a few successful startups and operated as a personal investor in some of the top tech startups such as Warby Parker, Stripe, and Pinterest. His blog focuses on individual companies and markets, and he has great thoughts on both. He doesn’t post as often as some others on this list, but the post quality makes up for the lack of frequency.

7. For Entrepreneurs

For Entrepreneurs is a blog by David Skok, of Matrix Partners. Skok often posts proprietary industry survey results and provides great details on SaaS startups, especially. Enterprise and general B2B startups should get a lot out of this blog.

8. Hunter Walk | 99% Humble, 1% Brag

Hunter Walk is an early stage investor with Homebrew. His blog is a good read for young entrepreneurs and anyone trying to figure out what it takes to get their company off the ground. There are also a few interesting posts on how VC funds operate.

9. Open Source Venture Capital

Subtitled “How I learned to stop worrying and love entrepreneurs,” Open Source Venture Capital is the blog of Fred Destin, of Accel in London. While his posts are infrequent, they are often long and very detailed. The posts are great to read on your commute or on a short flight.

10. Above the Crowd

Another blog that offers substantial posts is Bill Gurley’s Above the Crowd. Gurley has been at Benchmark for more than a decade and his posts are great for understanding new trends in tech and the models of successful startups.


21/07/2015

Former Hacking Team staff investigated in cyber-attack inquiry

Hacking Team, named by Reporters Without Borders on its Enemies of the Internet list, last week suffered the theft of around 400GB of sensitive data. The case against the ex-employees began in May when Hacking Team CEO David Vincenzetti filed a complaint against them for having revealed the details of source code to a third party. That case has reportedly now been combined with the cyber-attack investigation.

The stolen data trove was dumped to whistleblower site WikiLeaks, which published details of the Italian company’s clients, which include law enforcement agencies and governments from the Americas, Europe and the Middle East.

Hacking Team defends its business by arguing that its software is used for civil and national security purposes and that it does not count oppressive regimes among its customers. But the data dump reveals the company did business with a number of countries it had previously denied dealing with, including Sudan.

The company released a statement that condemned the actions of the hackers, pointing out that “terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so”.


15/07/2015

8 penetration testing tools that will do the job

If the probability of your assets being prodded by attackers foreign and domestic doesn’t scare the bejesus out of you, don’t read this article. If you’re operating in the same realm of reality as the rest of us, here’s your shot at redemption via some solid preventive pen testing advice from a genuine pro.

CSO speaks with pen test tool designer/programmer/aficionado, Evan Saez, Cyber Threat Intelligence Analyst, LIFARS, about the latest and greatest of these tools and how to apply them.

Available pen test tools

The pen test tools for this discussion are Metasploit, the Nessus Vulnerability Scanner, Nmap, Burp Suite, OWASP ZAP, SQLmap, Kali Linux, and Jawfish (Evan Saez is a developer on the Jawfish project). These tools are key to securing your enterprise because they are the same kinds of tools that attackers use. If you don’t find your holes and seal them, they will exploit them.

Metasploit is a framework with a large programmer fan base that contributes custom modules: test tools that probe for weaknesses in operating systems and applications. People release these custom modules on GitHub and Bitbucket. Bitbucket, like GitHub, is an online repository for coding projects. “Metasploit is the most popular pen test tool,” says Saez.

The Nessus Vulnerability Scanner is a popular, signature-based tool for locating vulnerabilities. “Nessus can only compare scans to a database of known vulnerability signatures,” says Saez.

The Nmap network scanner enables pen testers to determine the types of computers, servers, and hardware the enterprise has on its network. The fact that these machines are identifiable via these external probes is in itself a vulnerability. Attackers use this information to lay the ground work for attacks.

Burp Suite is another popular web application pen test tool. It maps and analyzes web applications, finding and exploiting vulnerabilities, according to Burp Suite web security tool vendor, PortSwigger.

OWASP ZAP (Zed Attack Proxy) is the web application pen test tool from nonprofit OWASP, the Open Web Application Security Project. ZAP offers automated and manual web application scanning in order to serve the novice and the established professional pen tester. ZAP is an open source tool now available on GitHub.

SQLmap automates the discovery of SQL Injection holes. It then exploits those vulnerabilities and takes complete control of databases and underlying servers.


Kali Linux is an all-in-one tool comprising a suite of dedicated, pre-installed penetration testing (and security and forensics) tools. “It has tools for people who have no knowledge of security,” says Saez.

Unlike most tools, which are signature-based, Jawfish is a pen test tool that uses genetic algorithms. “Genetic algorithms look for things in the context of search,” says Saez. Guided by its search criteria, Jawfish homes in on what it is looking for, in this case a vulnerability, and produces a result once it gets close enough. Jawfish does not require a signature database.

How to use them

Metasploit, the Nessus Vulnerability Scanner, Nmap, Burp Suite, OWASP ZAP, SQLmap, Kali Linux, and Jawfish each have their uses. Most enterprises will need multiple tools. Metasploit offers both a Ruby interface and a CLI so your pen tester can opt for one or the other, depending on what you are trying to do. “The Ruby interface is more useful for testing a very large network because running commands in a CLI would be too tedious for that,” says Saez.

Nessus Vulnerability Scanner checks computers and firewalls for open ports and for installations of potentially vulnerable software. “As far as pen testing, this tool is less useful as it is very noisy and goes in through the front door, communicating with the OS to determine vulnerabilities. This tool is normally used for compliance efforts to simply determine whether patches are up to date,” says Garrett Payer, Lead Technologist, ICF International, a large technology solutions provider.

Apply Nmap to search for hosts, open ports, software versions, operating systems, hardware versions, and vulnerabilities—generally mapping the network’s attack surface. It is useful at each stage of pen testing, wherever you have a new set of hosts, ports, and other resources to identify, such as when entering a new network segment. “This tool has a scripting feature and is useful for enumerating user access,” says Payer.

Use Burp Suite with your web browser to map web applications. The tools inside Burp Suite discover application functionality and security holes and then launch custom attacks. Burp Suite automates repetitive functions while retaining user choice where the pen tester needs to have control of individualized options for testing. “This very feature rich tool investigates cross site scripting and other vulnerabilities using a proxy,” says Payer; “it allows some transparency into what the website is actually sending to the server.”

OWASP ZAP performs a variety of scans and tests, including port scanning, brute force scanning, and fuzzing, in order to identify insecure code. Pen testers use an intuitive GUI similar to that of a Microsoft application or certain web design tools (such as Arachnophilia). After browsing and performing actions on a website, you return to ZAP to see the code and what transpired during those actions. When set as a proxy server, OWASP ZAP controls the web traffic that it processes. “This tool is newer than Burp Suite, is not as feature rich, but is free and open source. It provides a subset of features and a GUI that are useful for people who are just entering web application pen testing,” says Payer.

Leverage SQLmap to test improperly coded sites and URLs attached to databases via Python commands on the command line. If a malformed URL (link) to database information draws an error code, then the link is subject to attack. SQLmap installs on Ubuntu Linux, inside a VM. “Another script-friendly tool, SQLmap can determine such things as whether the programmer has parameterized the inputs,” says Payer. If they haven’t, a pen tester or an attacker could forward a name, a semicolon, and an SQL command, for example, and run it on the database, gaining control, explains Payer.

Install Kali Linux and open any one of more than a dozen pen testing / exploit tools bundled with it. “Kali Linux comes with a lot of user documentation,” says Saez.

You can try the Jawfish pen test tool using the available GUI form. Simply input an IP address for the server, a vulnerable web address at that IP address, then the vulnerability, method, and goal text. The tool returns the goal text when you have successfully hacked the address. This tool is entirely new and not vetted for enterprise adoption.

Compare, select, use, and patch

You will want to select tools based on where your most costly vulnerabilities lie. Once you find your vulnerabilities, it’s important to patch them if there is a patch available, or secure around them if it is not.


15/07/2015

Three financial best practices for startups

Running a startup is a balancing act. You’re in charge of handling every aspect of the business, hiring the right people, and keeping everything on the right side of the law.

One of your most important jobs as a startup founder is money manager. Capital is the lifeblood of a startup. If you don’t learn to manage your money early, your company will die.

Properly handling finances can extend your runway and give you more time to work on your business. Here are three financial best practices for startups to help you make better moves with your money.

Separate business and personal finances

As an entrepreneur, you’re probably brimming with excitement about your new idea. In that excitement, though, make sure you do not make careless mistakes with your money. One of the biggest mistakes you can make is to mix up the financials of your startup with your personal cash. This isn’t to say you can’t use existing capital to partially fund the business, but you should open a dedicated checking account for the business itself and conduct all transactions through that account.

If you fail to properly separate your personal and startup finances, you could deal with potential tax problems depending on how you incorporated and could face trouble raising funds later on. At the very least, it will probably create a giant mess.

For example, Rick Coplin, vice president of Community Partner Ventures, used to work with an entrepreneur who hired a programmer and a designer for website development that she paid for out of her personal checking account. For the first couple years, he said, the entrepreneur even used her social security number on the tax forms instead of the business ID.

“We caught this early enough to avoid serious complications in terms of investment, but she had to spend time and resources to correct two years worth of personal and business tax returns.”

Think harder about equity

Equity is not just about value. It is also about control.

When it comes to funding, startups commonly exchange equity for capital, giving partial ownership of the company to an investor or investment firm. There’s absolutely nothing wrong with raising capital this way, but you have to be sure it’s the right move.

These days, there are more ways than ever to secure financing for your startup, and not all of them come with an equity price tag, such as grants and SBA loans. Michael Hardy, a certified financial planner at Mollot & Hardy, Inc., said that many of the startups he works with can get started and operate on a smaller budget than what’s generally expected.

“My advice is to use a chunk of your own resources until it’s absolutely necessary to get a loan or sell shares of the company,” Hardy said.

Another point at which equity comes into play is in exchange for services, or to hire a key executive. Equity is one of the biggest enticements for potential employees, but it shouldn’t always be a given.

“A better course of action may be to establish an employee pool with 10-15% of the company equity,” Coplin said. “New employees can participate in a program based on their position and potential contribution.”

Study the business

This may seem like common sense, but creating a habit out of studying some of the key business metrics of your startup can help prevent issues from arising in the future. Keep detailed records and be sure to consistently review your financial statements.

“Understand the components. Engage a CPA to learn how to look at a balance sheet and be disciplined about going through them on a regular and frequent basis,” said Liz Sillay of Waller Lansden Dortch & Davis, LLP.

You’re a business, and the goal of a business is to make money. So, start by taking a look at just how much money is coming in — your revenue. But, don’t stop there. Think about your revenue in terms of your profitability, or how much money you have after accounting for operating expenses.

“Revenue is the most common number used when describing the financials of a business and for attracting the interest of investors, however, it only tells part of the story of the financial aspects of a business,” Coplin said.

Now, if your business is losing money — don’t panic yet. You’re likely to lose money, especially in the early days. And, investors understand that, Coplin said, but they also expect that, at a certain point, your revenue will pass your costs, and you’ll be profitable. Then, hopefully, the profit margin will continue to grow showing that your business is scalable.


09/07/2015

Industrial espionage group hacked Apple, Facebook, Microsoft

Rob Wright
A sophisticated hacker group has been attacking billion-dollar companies such as Apple, Facebook, and Microsoft in recent years for the purposes of committing industrial espionage, according to security researchers.

Symantec and Kaspersky Lab both released reports about the group Wednesday, claiming that Apple, Facebook, Twitter, Microsoft and other multinational companies have been victimized by it. Both vendors claim the group, which Symantec refers to as “Morpho” and Kaspersky calls “Wild Neutron,” is not a state-sponsored threat actor and is instead a powerful, well-resourced entity focused on financial gains — one that uses a variety of attack techniques to obtain insider information from top U.S. corporations.

group operates at a much higher level than the average cybercrime gang,” Symantec’s report stated. “It is not interested in stealing credit card details or customer databases and is instead focused on high level corporate information. Morpho may be selling this information to the highest bidder or may be operating as hackers for hire. Stolen information could also be used for insider trading purposes.”

According to Kaspersky’s report, the hacker group has been active since 2011 but first gained notoriety in 2013 with successful attacks on Apple, Facebook, Twitter and Microsoft that exploited a Java zero-day flaw and used hacked Web forums as watering holes.

After the companies disclosed these attacks, the hacker group went dark, according to the reports. But Kaspersky said the attacks resumed in late 2013 and into 2014 and affected a variety of different companies in the legal, health care, real estate and technology industry verticals as well as Bitcoin-related companies, investment firms and companies involved in merger and acquisition deals.

Symantec said its investigation has found the group’s attacks have affected 49 different organizations in more than 20 different countries. Kaspersky said the latest round of attacks this year involved a stolen digital certificate originally issued to Taiwanese PC maker Acer and an unknown Flash Player exploit.

Kaspersky’s report said the hacker group is unique in terms of its approach and its engagement in industrial espionage. “Compared to other APT groups, Wild Neutron is one of the most unusual ones we’ve analysed and tracked,” Kaspersky’s report stated. “Active since 2011, the group has been using at least one zero-day exploit, custom malware and tools and managed to keep a relatively solid opsec, which so far eluded most attribution efforts.”

Neither Symantec nor Kaspersky has determined the origin of the attacks. Symantec noted that the hacker group’s command and control server activity peaks during U.S. working hours, which suggests that some or all of the members are operating in that region. Both vendors warned that the group is still active today.

09/07/2015

Hacking Team 0-Day Shows Widespread Dangers Of All Offense, No Defense

Sara Peters

While the Italian surveillance company sells government agencies high-end zero-day proof-of-concept exploits, it secures root systems with the password ‘P4ssword.’ What’s vulnerability commoditization got to do with it?

A critical zero-day vulnerability can fetch a high price on the black market. Or everyone can have it for free, and criminals can pack it into a variety of exploit kits and roll it into the wild. Super-sophisticated spyware may require great skill to develop or lots of cash to buy in the criminal underground. Or, the source code could just show up on BitTorrent, and be good to go with a little customization.

This week’s doxing attack and breach of Italian surveillance software company Hacking Team shows just how such things can happen — a combination of great offense and terrible defense.

The attacker who has now taken responsibility for the Hacking Team breach hasn’t revealed his methods yet, but based upon what we now know about the company’s internal security, bad password practices — not just by regular users, but by security staff — likely has something to do with it.

Is this all preventable, or is this to be expected when vulnerabilities are commoditized, and the highest bidders are not the companies whose software needs fixing?

The breach

Milan-based Hacking Team sells highly invasive surveillance software, but only, it says, to government; specifically to governments that have kept off the U.S., E.U., U.N., NATO or ASEAN blacklists. However, the attackers revealed internal documents showing that Hacking Team had also sold its products and services to countries with histories of human rights violations, including Sudan, Egypt, Russia, and many others.

Also, the source code for the company’s flagship software, Remote Control System, was breached. The company told its customers to cease use of the product until further notice.

Also revealed Monday: Hacking Team was discovering and selling software vulnerabilities and proof-of-concept exploit code. Among them was a critical Adobe Flash vulnerability (with POC) affecting all versions of Flash running in Internet Explorer, Firefox, Chrome, and Safari on Windows, Mac, and Linux. It was disclosed to Adobe by Google Project Zero and researcher Morgan Marquis-Boire, and has been dubbed CVE-2015-5119.

From vulnerability to exploit

It appears that Hacking Team did sell CVE-2015-5119, because according to Trend Micro research released today, it was used in limited attacks in Japan and Korea before the vulnerability was publicly revealed in this week’s breach. Trend Micro first found exploits July 1, but they may have started in late June.

The rest of the world got access to the vulnerability Monday. Jerome Segura, senior security researcher of Malwarebytes Labs, says normally, attackers would take a few days to convert a vulnerability into an exploit.

“This one,” he says, “I knew it was going to be faster.”

Usually, attackers don’t have clear, extensive documentation to help them develop exploits. Yet that’s precisely the sort of information Hacking Team provided to its customers, and it was thus leaked to the world.

“All the code was there, with instructions,” Segura says. “Here it is on a silver platter.”

By Tuesday at 3 p.m., Malwarebytes Labs saw code exploiting the vulnerability in the wild, as part of the Neutrino exploit kit. Within minutes it appeared in the Angler, then the Nuclear exploit kits, too.

“Which was very strange,” he says. “Almost like the bad guys were working together or they were racing each other.” He doesn’t believe they were actually working together, because the exploits were different.

Adobe issued an advisory Tuesday, stating that the “successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.”

One of the payloads being spread by exploiting this zero-day is the CryptoWall 3.0 ransomware, according to Trend Micro. Adobe released a patch today and advises to install the patch as soon as possible.

Bad defense

How was Hacking Team compromised, allowing this gray-hat tradecraft to emerge? Bad passwords, possibly.

“Phineas Fisher” has come forth to take responsibility for the attack, but so far he’s not sharing details.

However, there is reason to believe bad passwords, and reuse of them, are partly to blame. According to data exposed in the doxing attack, the company’s managing director used the password “Passw0rd” across every corporate system. And it wasn’t just the non-IT staff. Among the root passwords exposed is “P4ssword.” That was a popular choice for the company’s senior security and systems engineer Christian Pozzi, who, according to reports, used the same username/password combination, with the weak password P4ssword, for many accounts accessed via Firefox.

“The Hacking Team is composed of hackers and security engineers working for the government. They have access to highly confidential data and they likely have a target on their back,” says Darren Guccione, CEO of Keeper Security. “Despite whether these passwords were currently in-use or the cause of the breach, reusing the same passwords or using weak passwords is a serious cause for concern for a team of government security experts and hackers.”
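The two passwords quoted above are textbook cases of what a password audit should catch: a dictionary word with a single leetspeak substitution, reused across systems. As an added example (not code from the article or from any of the companies it quotes), the following Python script normalises leet substitutions back to the base word, checks it against a blocklist, and groups accounts by password digest to spot reuse. The blocklist and the vault export are constructed for the demo.

```python
"""Audit a credential export for weak or reused passwords.

Added example; the blocklist and the vault below are constructed for the
demo and are not taken from any real dump.
"""
import hashlib
import string

# Constructed blocklist of base words. A real deployment would load a
# breached-password corpus here instead.
BLOCKLIST = {"password", "welcome", "admin", "letmein", "qwerty", "secret"}

# Common leet substitutions, undone so that Passw0rd and P4ssword both map
# back to "password". Guessing attacks try these substitutions first, so
# they add no real strength.
LEET_MAP = str.maketrans(
    {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
     "@": "a", "$": "s", "!": "i"}
)


def normalize(pw):
    """Lower-case, drop trailing digits/punctuation (e.g. '2015', '!'),
    then undo leet substitutions to recover the base word."""
    core = pw.lower().rstrip(string.digits + string.punctuation)
    return core.translate(LEET_MAP)


def weakness_reasons(pw, min_len=12):
    """Return a list of reasons a single password fails policy ([] if fine)."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if normalize(pw) in BLOCKLIST:
        reasons.append("variant of a blocked word")
    return reasons


def audit(credentials, min_len=12):
    """credentials: iterable of (account, password) pairs.

    Returns {account: [reasons]} for every account that fails a check.
    Reuse is detected by grouping on SHA-256 digests, so the plaintext is
    never used as a dictionary key or copied into the report.
    """
    creds = list(credentials)
    digests = {}
    for account, pw in creds:
        digest = hashlib.sha256(pw.encode()).hexdigest()
        digests.setdefault(digest, []).append(account)

    report = {}
    for account, pw in creds:
        reasons = weakness_reasons(pw, min_len)
        peers = digests[hashlib.sha256(pw.encode()).hexdigest()]
        if len(peers) > 1:
            reasons.append(f"reused across {len(peers)} accounts")
        if reasons:
            report[account] = reasons
    return report


# Constructed vault export for the demo (hypothetical account names).
SAMPLE_VAULT = [
    ("vpn-gateway", "Passw0rd"),
    ("mail-server", "Passw0rd"),
    ("root@build-host", "P4ssword"),
    ("ticketing", "Tq7!vRk2#mLp9$Zw"),
]

if __name__ == "__main__":
    for account, reasons in audit(SAMPLE_VAULT).items():
        print(f"{account}: {'; '.join(reasons)}")
```

Run against the sample vault, the audit flags the first three accounts (blocked-word variants, two of them sharing one password) and passes the last one. The point of normalising before the blocklist lookup is that a plain string comparison would miss both “Passw0rd” and “P4ssword”, which is exactly how such passwords survive a naive policy check.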

Segura says that security experts need to apply the same best practices to the software they put on the market, particularly since it often runs with higher privileges than regular applications.

“We go after malware and we’re good at it, but how many of our products are secure? That’s a question we have to ask ourselves,” he says. “Anti-virus is installed on a lot of machines. That itself is a really nice target. … We know [attackers] don’t like us. But they haven’t gone yet to ‘we’re not going to disable you, we’re going to use you.'”

0-Days for Sale

“The case where I have the most concern is the non-disclosure of the zero-day,” says Fengmin Gong, founder and CSO of Cyphort. “Not disclosing it responsibly to a vendor … I think that is a very dangerous precedent.”

Gong says vendors are aware they’re in competition with criminals for getting their hands on vulnerabilities first, which is why they started paying bug bounties.

Yet, when the “good guys” get into the business of selling vulnerabilities too, “It’s very hard to draw that line of who to sell to,” Gong says.

Even if they are ethical about choosing their customers, Gong adds that businesses like Hacking Team cannot be sure their customers will be the only ones to use those products, or if they’ll give them to someone else. “That’s why that whole business is a risky proposition to begin with,” he says.

[Gong’s colleague, Cyphort malware reverse engineer Marion Marschalek, along with Morgan Marquis-Boire who reported the Flash vulnerability to Adobe, will be presenting a session about the “peculiarities of nation-state malware research” at Black Hat next month.]

“The market for zero-day vulnerabilities is alive and well and as the Hacking Team breach has revealed is also highly profitable,” says Ken Westin, senior security analyst for Tripwire. “As many governments move to try and control malware and offensive security tools, some have been caught with their own hands in the cookie jar, leading many to wonder how and why governments and agencies listed as Hacking Team clients are using these tools and if they are doing so lawfully.”

“Governments around the world are focusing their resources on offensive techniques, which means, ironically, they are doing many of the same things as the ‘bad guys’ — building malware and surveillance tools similar to spyware,” says Mark Kraynak, chief product officer of Imperva. “If anyone is worried about the distribution of malware information represented by this breach, they should remember the ‘bad guys’ are already using these exploits and doing so much more with them.”

Gong points out that it isn’t just the zero-day the Hacking Team breach gave to the bad guys; it’s also the source code for the Remote Control System surveillance software — sophisticated spyware. That, he says, will have an impact we’ve yet to feel. “The underground will easily adopt them.”

Sent from my iPad

03/07/2015

The era of IT-as-a-roadblock must come to an end right now

As other leaders are growing more aware of technology in the digital age, it is my belief that CIOs need to also invest, immerse in and speak the language of marketing, operations and finance. It is through this cross-pollination of competing skills and professions that an IT leader can have the most impact.

We talk business alignment and business driven priorities but in my experience IT leaders fail at truly understanding these needs and requirements. It is that old order taker-mentality: to some extent not only is there a failure to understand, it appears in many cases it is by design.

Our success is tied, or should be tied, to delivering more value than a CMO or a COO could, by both intimately understanding the problem and traversing the technology.

If we want to be passive observers of our organizational priorities and marginalize ourselves then we have no right to complain about why we are not given our due share of respect at the executive table.

This attitude both confounds me and infuriates me. Bad leaders shift accountability to others and in so doing also dilute their power base. Good leaders take charge and take on innovation and creativity as a badge to wear everywhere.

We do not have enough good leaders; we do not have enough CIO trend setters that will take a chance for the sake of their business and the sake of themselves, and it is ruining it for the rest of us.

If you see a leader, or are managed by one, that justifies IT-as-a-roadblock by way of process or methodology and promotes the “that isn’t our job” mentality, then say something, because these leaders are from a bygone era and have no place in modern organizations.

We need to think strategically, act tactically, drive methodically and think technically. If we do this we will provide more value than any other C-level position because we understand what needs to be done, can demonstrate the courage to do it and the experience to do it technically right.

In my view CIOs, if they act properly and integrate themselves within other business disciplines, can easily become the next CEO – not the next doorman.

The Naked CIO is an anonymous technology executive.

03/07/2015

Does anyone still want to be a CIO?

I recently read about Professor Thomas Davenport, who teaches MBA-level courses at Babson College. The professor asked his students to indicate by a show of hands who aspired to the top corporate IT job: CIO. As with several past informal surveys, not a single student raised their hand.

Every leader is now an IT leader

The CIO role was once the obvious choice for a technology-oriented executive. After all, aside from a few product-focused roles, there were few opportunities to lead the tech decisions of a large organization.

However, as IT has transitioned away from data centers and standalone IT groups at the tactical level, it’s also become a core component of most other leadership roles. Leadership positions from the Chief Operating Officer (COO) to the Chief Marketing Officer (CMO) must now exhibit the tech savvy that was once the province of IT.

Additionally, the CIO role is saddled with significant operational baggage. We’ve all heard the stories of Fortune 500 CIOs being summoned to fix a peer’s laptop or wayward projector, and while these anecdotes are amusing, if rare, most CIOs are still ultimately responsible for everything from network operations to email delivery. It’s understandable that a role where you’re blamed for every ERP outage is less attractive than a CMO role that’s responsible for digital marketing strategy, or COOs developing an innovative Internet of Things proof-of-concept.

Is the CIO role worth saving?

With non-IT roles now controlling many of the most interesting and innovative aspects of corporate IT, and the CIO saddled with a massive portfolio of “utility” technologies that only generate interest when they fail, it begs the question: if no one wants to do this job, is it a role worth keeping? Additionally, the “death” of the CIO role has long been predicted, though it was often due to the role disappearing, rather than the decrease in the number of people interested in filling that role.

There’s a legitimate need for operationally-focused IT leaders who can manage a cadre of staff that “keep the lights on” while also formulating a strategic IT vision. Where the CIO role is inherently flawed is that it often expects the same person to be equipped to handle both these diverse disciplines.

At the executive level, companies should consider separating the operational and strategic disciplines, depending on the needs of the company. As cloud services and the ability to outsource many of these operational functions grows, there’s an opportunity to accelerate this shift. Even without resorting to external parties, savvy companies can equip CIOs with the appropriate authority and discretion to build effective operational staff, and stop expecting that CIOs should be equal parts strategist and technician. Essentially, the CIO becomes an internal consultant who charts the future course for corporate IT, and leverages internal and external resources to execute that vision.

Preparing for an empty seat

While this internal consultant role has long been suggested by myself and others, there’s a strong possibility that few qualified candidates will actually want this role, as evidenced by Professor Davenport’s students. If this trend continues, companies will increasingly have to push operational IT management to mid-level roles, vendors, or line of business IT managers. While this scenario is viable, it will require someone on the executive team to ensure a consistent and thoughtful IT evolution, lest each tech savvy leader effectively implement their own distinct IT vision.

The bottom line

Pundits have long hypothesized that the CIO role is “dead.” Rather than dozens of candidates clamoring for a non-existent role, perhaps companies should prepare for an empty CIO chair, with no one interested in filling it, even as we enter a new “golden age” of IT.

30/06/2015

Most VPNs leak user details, study shows

Researchers have found nearly 80% of popular VPN providers leak information about the user because of a vulnerability known as IPv6 leakage.

Most virtual private network (VPN) services used by hundreds of thousands of people to protect their identity online are vulnerable to leaks, a study has revealed.

VPNs are used by around 20% of European internet users to encrypt communications to circumvent censorship, avoid mass surveillance and access geographically limited services, such as BBC iPlayer.

But a study of 14 popular VPN providers found that eleven of them leaked information about the user because of a vulnerability known as IPv6 leakage, according to researchers at Queen Mary University of London (QMUL).

The leaked information ranged from the websites a user is accessing to the actual content of user communications, such as comments posted on forums. However, interactions with websites running HTTPS encryption, which includes financial transactions, were not subject to leaks.

The leakage occurs because network operators are increasingly deploying a new version of the protocol used to run the internet, called IPv6, which is set to replace IPv4, but many VPNs currently only protect users’ IPv4 traffic.
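The mechanism behind the leak is visible in a host’s routing tables: the VPN client installs catch-all IPv4 routes through the tunnel interface but leaves the IPv6 default route pointing at the physical interface, so any site reachable over IPv6 is contacted outside the tunnel. As an added illustration that is not part of the study or of this article, the following Python script reads Linux `ip route` / `ip -6 route` text and reports whether IPv6 has a path that bypasses the tunnel. The route listings are constructed samples and the tunnel interface name `tun0` is an assumption.

```python
"""Check Linux routing tables for the IPv6 leak described in the article.

Added example. Assumes `ip route` / `ip -6 route` output format and a
tunnel interface called tun0; the samples below are constructed, not
captured from a real host.
"""
import re

# Constructed `ip route` output: the VPN client has installed the usual
# 0.0.0.0/1 + 128.0.0.0/1 pair, which beats the DHCP default route by
# longest-prefix match without deleting it.
SAMPLE_V4_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""

# Constructed `ip -6 route` output on a network that advertises IPv6:
# the only IPv6 default route points at the Wi-Fi interface, so any
# AAAA-resolvable site is reached outside the tunnel.
SAMPLE_V6_ROUTES_LEAKY = """\
2001:db8:1234::/64 dev wlan0 proto ra metric 600
fe80::/64 dev wlan0 proto kernel metric 256
default via fe80::1 dev wlan0 proto ra metric 600
"""

# Same host with a VPN client that also claims IPv6 via the ::/1 + 8000::/1 pair.
SAMPLE_V6_ROUTES_TUNNELED = """\
::/1 dev tun0 metric 1024
2001:db8:1234::/64 dev wlan0 proto ra metric 600
8000::/1 dev tun0 metric 1024
fe80::/64 dev wlan0 proto kernel metric 256
default via fe80::1 dev wlan0 proto ra metric 600
"""

ROUTE_RE = re.compile(r"^(?P<prefix>\S+)(?:\s+via\s+\S+)?\s+dev\s+(?P<dev>\S+)")
DEFAULTS = {"default", "0.0.0.0/0", "::/0"}
HALVES_V4 = {"0.0.0.0/1", "128.0.0.0/1"}
HALVES_V6 = {"::/1", "8000::/1"}


def parse_routes(text):
    """Return [(prefix, interface)] for every route line we can read."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append((m.group("prefix"), m.group("dev")))
    return routes


def catch_all_devices(routes, halves):
    """Interfaces that capture a whole address family: either a default
    route, or both /1 halves (the trick VPN clients use to win over the
    existing default route without removing it)."""
    by_dev = {}
    for prefix, dev in routes:
        by_dev.setdefault(dev, set()).add(prefix)
    return {dev for dev, p in by_dev.items() if p & DEFAULTS or halves <= p}


def assess(v4_text, v6_text, tunnel_dev="tun0"):
    """Summarise whether each family is carried by the tunnel, and whether
    IPv6 would leak (host has IPv6 reachability, but not through the tunnel)."""
    v4, v6 = parse_routes(v4_text), parse_routes(v6_text)
    v4_tunneled = tunnel_dev in catch_all_devices(v4, HALVES_V4)
    v6_tunneled = tunnel_dev in catch_all_devices(v6, HALVES_V6)
    # Link-local (fe80::) routes exist on every IPv6-enabled interface and
    # say nothing about Internet reachability, so they are ignored here.
    v6_reachable = any(
        not prefix.startswith("fe80:") and dev not in (tunnel_dev, "lo")
        for prefix, dev in v6
    )
    return {
        "ipv4_tunneled": v4_tunneled,
        "ipv6_tunneled": v6_tunneled,
        "ipv6_leak": v6_reachable and not v6_tunneled,
    }


if __name__ == "__main__":
    for label, v6 in (("leaky", SAMPLE_V6_ROUTES_LEAKY),
                      ("tunneled", SAMPLE_V6_ROUTES_TUNNELED)):
        print(label, assess(SAMPLE_V4_ROUTES, v6))
```

On a live host, feed the output of `ip route` and `ip -6 route` to `assess()`. A host with IPv6 disabled has no IPv6 routes at all and is reported as not leaking, which is the state Lyne’s advice further down the article produces. The check is a routing-table heuristic: it does not weigh route metrics or policy routing, so the study’s own method, watching what actually leaves the host at the access point, remains the definitive test.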

For the study, the researchers connected various devices to a Wi-Fi access point, which was designed to mimic the attacks hackers might use.

Researchers attempted two of the kinds of attacks that might be used to gather user data. One was passive monitoring, which simply collects unencrypted information that has passed through the access point. The other was DNS hijacking, which redirects browsers to a controlled web server by pretending to be commonly visited websites, such as Google and Facebook.

The study also examined the security of various mobile platforms when using VPNs and found they were much more secure when using Apple’s iOS, but were still vulnerable to leakage when using Google’s Android.

“There are a variety of reasons why someone might want to hide their identity online. It is worrying they might be vulnerable despite using a service specifically designed to protect them,” said Gareth Tyson, a lecturer from QMUL and co-author of the study.

“We are most concerned for those people trying to protect their browsing from oppressive regimes. They could be emboldened by their supposed anonymity, while actually they’re revealing all their data and online activity and exposing themselves to possible repercussions,” he said.

The paper A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients will be presented at the Privacy Enhancing Technologies Symposium in Philadelphia on 30 June 2015.

In August 2011, Computer Weekly quoted James Lyne, currently the research chief at security firm Sophos, as saying criminals were already capitalising on the fact that few people are filtering IPv6 traffic or even know how to.

In the transition period, Lyne advised businesses turn off IPv6 until they are thoroughly prepared for the security implications of the new protocol and have updated all security filters and controls in their networks. Only switch IPv6 on, he said, once the controls are in place.

There is no instant switch to the new protocol, said Lyne, so partial adoption means using tunnelling technologies to transport IPv6 over IPv4, and this kind of workaround is another potential source of confusion, misconfiguration and security gaps.

It is important businesses understand if their web security solution can rate and analyse IPv6 content, he said, because without that ability, users will be vulnerable to attacks.

24/06/2015

Google scolds businesses for citing security as a reason not to use cloud

Google has hit out at users that continue to cite security as a major barrier to public cloud adoption, claiming their data will be safer there than on-premise.

The search giant made the claim at its Google Next conference in east London on 23 June, while talking up the business benefits of using its Compute Engine infrastructure-as-a-service (IaaS) offering.

During the event’s opening keynote, Greg DeMichillie, director of product management for Google’s Cloud Platform, said companies are mistaken if they think storing their data on-premise will keep it safe.

“There was a time when security was the reason not to move to the cloud, but with the Home Depot, Target, Sony Pictures and the latest United States government’s Office of Personnel Management breaches, quickly customers are realising you are more secure in the cloud with Google than you are by yourself,” he said.

One of the reasons for that is because Google has the scope and scale to invest large sums in security personnel, and far more so than your average enterprise.

“We have more than 500 professional security researchers at Google,” said DeMichillie. “These are people doing penetration testing, fuzzing our software with random bad API [application programming interface] calls, and doing in-depth security readings. Very few of you could afford 500 security researchers.”

To emphasise this point, he explained that Google researchers are regularly the first to uncover high-profile security vulnerabilities, such as the Heartbleed OpenSSL fault that came to light in spring 2014.

“It was a pretty bad vulnerability that prompted everybody to massively patch their systems, but what you may not know is that Heartbleed was found by a Google researcher, and that means Google systems were among the first to be patched. Most of them were fully patched before the first full public disclosure was made about the vulnerability,” said DeMichillie.

Google also builds all of the infrastructure that underpins its cloud services, which provides it with an extra layer of protection against hackers, he said.

“We are a full stack creator. If we were an independent server manufacturer, we’d be in the top five list of server manufacturers globally because we build all our own infrastructure,” said DeMichillie.

“We build our own machines, we design our own hardware specifications, our own software specifications, and this minimises the attack surface because you can’t go and buy a Google server, set it up at home and probe it for vulnerabilities.

“All of that is our way of saying, if you thought you couldn’t use a cloud platform because of security, you actually have it backwards. Being on a cloud platform will actually make you more secure,” he concluded.

21/06/2015

The diagram that scares the next generation of banking IT professionals

The next generation of IT professionals in the banking sector will face the same legacy headache as their predecessors.

This diagram was picked up at an event recently. It depicts all the individual processing components and their interdependencies in a single mortgage system at a large, full-service retail bank.

Big banks have thousands of systems providing current accounts, savings accounts, mortgages, loans and many more. All of these will have a diagram similar to this associated with them. Some systems at banks are now only understood by a couple of people, and newcomers to IT are not prepared.

But banks must take on this challenge or face threats from more agile competitors targeting specific financial services. So what can they do?

Here are some potential options outlined by a senior banking IT executive:

  • Forget changing systems and try to remove complexity. This is what often happens when the people making the decisions are near retirement or can’t stomach a multi-year, multibillion-pound project.
  • Buy a modern core banking platform off the shelf, get it working, connect it and migrate everything from legacy systems onto it.
  • Acquire one of the growing number of new banks with their state-of-the-art IT, and eventually move the whole bank onto these modern systems, which can be tailored to the bank’s needs.
  • Spend money on a state-of-the-art system and make it pay through acquiring other banks and moving them to the platform.
  • Artificial intelligence (AI) could solve complexity issues. For example IPSoft’s AI customer service platform, known as Amelia, can read all instruction manuals and automated fixes and could possibly support legacy transformation.

Jean Louis Bravard, IT outsourcing consultant and former JP Morgan CIO, said: “Nobody has the balls to replace legacy systems at the big banks.” Although RBS has worked out the problem, he said recovering from it will involve painstaking manual work to ensure no mistakes.

Legacy systems can be replaced, but big banks are not taking it on because they are led by people who don’t understand technology. “The root cause of this is that banks are being managed by former traders,” said Bravard. “Under this leadership, no big bank is going to invest huge sums of money over five years with no return on it.”

12/06/2015

HP Wireless LAN Planning Tool
